2.6.8.2. 从控制台创建 gatekeeper 策略
通过从控制台创建 gatekeeper 策略来安装 gatekeeper 策略。
登录到集群后,进入 Governance 页面。
选择 Create policy。在填写表单时,从 Specifications 项中选择 GatekeeperOperator。策略的参数值会自动填充,策略默认设置为 inform。将补救操作设置为 enforce 来安装 gatekeeper。请参阅 policy-gatekeeper-operator.yaml 查看示例。
+ 注: 考虑可由 Operator 生成默认值。如需了解可用于 gatekeeper operator 策略的可选参数的说明,请参阅 Gatekeeper Helm Chart。
2.6.8.2.1. Gatekeeper operator CR
apiVersion: operator.gatekeeper.sh/v1alpha1
kind: Gatekeeper
metadata:
name: gatekeeper
spec:
audit:
replicas: 1
logLevel: DEBUG
auditInterval: 10s
constraintViolationLimit: 55
auditFromCache: Enabled
auditChunkSize: 66
emitAuditEvents: Enabled
resources:
limits:
cpu: 500m
memory: 150Mi
requests:
cpu: 500m
memory: 130Mi
validatingWebhook: Enabled
webhook:
replicas: 2
logLevel: ERROR
emitAdmissionEvents: Enabled
failurePolicy: Fail
resources:
limits:
cpu: 480m
memory: 140Mi
requests:
cpu: 400m
memory: 120Mi
nodeSelector:
region: "EMEA"
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
auditKey: "auditValue"
topologyKey: topology.kubernetes.io/zone
tolerations:
- key: "Example"
operator: "Exists"
effect: "NoSchedule"
podAnnotations:
some-annotation: "this is a test"
other-annotation: "another test"